[Snort-devel] Compiling and Running Snort 2.9.8.0 on MAC OSX 10.11.3 (El Capitan)

Madhu Rao k.madhurao.123 at ...2499...
Mon Feb 15 20:58:10 EST 2016


I will work on it, but I see similar other URLs; however, none of them talk
about El Capitan :)

I will send a doc back to WORD/PDF to Joel.

thanks,


On Mon, Feb 15, 2016 at 4:24 PM, Bill Parker <wp02855 at ...2499...> wrote:

> This information should be made into a document, turned into a PDF, and
> sent to Joel so he can install it on the Snort.org site in the documents
> section...<hint hint, Madhu> :)
>
> Bill
>
> On Mon, Feb 15, 2016 at 2:19 PM, Madhu Rao <k.madhurao.123 at ...2499...>
> wrote:
>
>> Joel
>>
>> thanks a bunch!! you pointed the issue!!
>> I was cutting and pasting the commands from Ubuntu machine... and trying
>> to run commands I ran on ubuntu....
>>
>> This worked now..
>>
>> sudo snort -c /etc/snort/snort.conf -i en0 -k none
>>
>>
>> I am able to fire up snort now on my MAC..
>>
>>
>> thanks EveryOne for the pointers..
>>
>> In case someone needs complete instructions I followed to BUILD snort
>> 2.9.8.1 on MAC OSX Version 10.11.3 (El Capitan) -- Here are the
>> instructions!
>>
>>
>> 1) Install Xcode (XCode includes the compiler and other libraries
>> required to compile Snort)
>>
>> 2) Install MacPorts from http://www.macports.org/
>>
>> Note: You may consider updating ports itself if you had installed ports
>> long back.   Try running 'sudo port selfupdate' & 'sudo port upgrade
>> outdated'
>>
>> 3) Install PCRE via MacPorts
>>
>> 'sudo port install pcre'
>>
>> 4) Install wget via MacPorts
>>
>> 'sudo port install wget'
>>
>>
>>
>> 5) Download Dependent Packages and Make/Install them
>>
>> 5a) Install Directory
>>
>> Assume BUILD_DIR=/Users/mrjoe/work/snort  (note it can be any dir..)
>>
>> export BUILD_DIR=/Users/mrjoe/work/snort
>>
>>
>> 5a) DNET
>>
>> cd $BUILD_DIR
>>
>> wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
>>
>> tar xvfz libdnet-1.12.tgz
>>
>> cd libdnet-1.12
>>
>> ./configure
>>
>> sudo make install
>>
>>
>>
>>
>>
>> 5b) pkg-config
>>
>> wget http://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz
>>
>> tar -xvf pkg-config-0.28.tar.gz
>>
>> cd pkg-config-0.28
>>
>> ./configure --with-internal-glib
>>
>> sudo make install
>>
>>
>>
>> 5b) LuaJIT
>>
>> cd $BUILD_DIR
>>
>> wget http://luajit.org/download/LuaJIT-2.0.2.tar.gz
>>
>> tar xzvf LuaJIT-2.0.2.tar.gz
>>
>> cd LuaJIT-2.0.2
>>
>> make
>>
>> sudo make install
>>
>>
>> 5c) DAQ
>>
>> cd $BUILD_DIR
>>
>> wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
>>
>> tar xvfz daq-2.0.6.tar.gz
>>
>> cd daq-2.0.6
>>
>> ./configure --disable-afpacket-module
>>
>> make
>>
>> sudo make install
>>
>>
>>
>>
>>
>> 5) Download & Build Snort
>>
>>
>>
>> cd $BUILD_DIR
>>
>> wget --no-check-certificate -O snort-2.9.8.0.tar.gz
>> https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz
>>
>> ./configure --enable-sourcefire --enable-open-appid
>>
>> make
>>
>> sudo make install
>>
>>
>>
>> At this Point you can start configuring for a test run
>>
>>
>>
>>
>>
>>
>>
>> 8) Configure Snort without OpenAppID enabled:
>>
>> sudo mkdir /etc/snort
>>
>> sudo mkdir /var/log/snort
>>
>> sudo mkdir /usr/local/lib/snort_dynamicrules
>>
>> sudo mkdir /etc/snort/rules
>>
>> sudo touch /etc/snort/rules/white_list.rules
>>
>> sudo touch /etc/snort/rules/black_list.rules
>>
>>
>>
>>
>>
>> 9) Copy configuration files you build
>>
>> cd /Users/madhurao/work/snort/snort-2.9.8.0/etc/
>>
>> cp attribute_table.dtd file_magic.conf snort.conf unicode.map
>> classification.config gen-msg.map reference.config threshold.conf
>> /etc/snort/
>>
>>
>>
>>
>>
>> 10) Add some SNORT rules from snort.org
>>
>> cd $BUILD_DIR
>>
>> mkdir crules
>>
>> cd crules
>>
>> From the Website, Download the LATEST Snort Rules.
>>
>> https://www.snort.org/downloads/registered/snortrules-snapshot-2980.tar.gz
>>
>>      NOTE:  This CLI method does not work.. unfortunately.
>>
>>      wget
>> https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz
>> (You will need to snort.org with a username/password (FREE) to get this)
>>
>> tar xvfz snortrules-snapshot-2962.tar.gz
>>
>> sudo cp -r preproc_rules /etc/snort
>>
>> sudo cp -r rules /etc/snort
>>
>> sudo cp -r so_rules /etc/snort
>>
>>
>>
>>
>>
>> 11) EDIT /etc/snort/snort.conf File
>>
>> cd /etc/snort
>>
>> sudo vi snort.conf
>>
>>      EDIT the following lines as shown
>>
>> var RULE_PATH /etc/snort/rules
>>
>> var SO_RULE_PATH /etc/snort/so_rules
>>
>> var PREPROC_RULE_PATH /etc/snort/preproc_rules
>>
>> var WHITE_LIST_PATH /etc/snort/rules
>>
>> var BLACK_LIST_PATH /etc/snort/rules
>>
>>
>>
>>
>>
>> 11) Fire up snort and do self test (-T option)
>>
>> sudo snort -c /etc/snort/snort.conf -T
>>
>> ....you will see something like this
>>
>> Snort successfully validated the configuration!
>>
>> Snort exiting
>>
>>
>>
>>
>>
>> 12) Enabling OpenAppID in Snort
>>
>> wget https://www.snort.org/downloads/openappid/3192 -O
>> snort-openappid.tar.gz
>>
>> tar xvfz snort-openappid.tar.gz
>>
>> sudo mkdir /usr/local/lib/openappid
>>
>> sudo mv odp /usr/local/lib/openappid/
>>
>>
>>
>>      Edit the /etc/snort/snort.conf File
>>
>> sudo vi /etc/snort/snort.conf
>>
>>      Search for "Step #5: Configure preprocessors"
>>
>>      After this Line -- "preprocessor reputation:"  Add the following
>> Lines to enable OpenAppId.
>>
>>
>>
>> # AppID preprocessor. For more information see README.appid
>>
>> preprocessor appid : \
>>
>>    app_stats_filename appstats-unified.log, \
>>
>>    app_stats_period 60, \
>>
>>    app_detector_dir /usr/local/lib/openappid
>>
>>
>>
>> Finally, uncomment this Line in snort.conf file
>>
>> output unified2: filename merged.log, limit 128, nostamp,
>> mpls_event_types, vlan_event_types
>>
>>
>>
>>
>>
>> 12) Test snort with OpenAppID in Snort
>>
>> sudo snort -c /etc/snort/snort.conf --daq afpacket -i eth0 -k none
>>
>> sudo snort -c /etc/snort/snort.conf --daq pcap --daq-mode passive -i eth0
>> -k none
>>
>>
>>
>>
>>
>> You will see the following when SNORT runs properly on MAC
>>
>> MADHURAO-M-90DD:snort madhurao$ sudo snort -c /etc/snort/snort.conf --daq
>> pcap --daq-mode passive -i en0 -k none
>>
>> Password:
>>
>> Running in IDS mode
>>
>>
>>
>>         --== Initializing Snort ==--
>>
>> Initializing Output Plugins!
>>
>> ....
>>
>>       Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301
>> 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777
>> 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280
>> 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444
>> 41080 50002 55555
>>
>> ....
>>
>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
>>
>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>>
>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>>
>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>>
>>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>>
>>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>>
>>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>>
>>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>>
>>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>>
>>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>>
>>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>>
>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>>
>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>>
>>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>>
>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>>
>>            Preprocessor Object: appid  Version 1.1  <Build 5>
>>
>> Commencing packet processing (pid=66645)
>>
>> ...
>>
>>
>>
>>  Cheers.
>>
>>
>>
>> On Mon, Feb 15, 2016 at 1:39 PM, Joel Esler (jesler) <jesler at ...3461...>
>> wrote:
>>
>>> I don’t think that the interface would be called “eth0” on a mac.  You
>>> may want to make sure you have the right device specified.
>>>
>>> --
>>> *Joel Esler*
>>> Manager, Talos Group
>>>
>>>
>>>
>>>
>>> On Feb 12, 2016, at 5:04 PM, Madhu Rao <k.madhurao.123 at ...2499...> wrote:
>>>
>>> Hi Folks
>>>
>>> Has anyone had luck downloading and compiling snort 2.9.8.0 and getting it
>>> working on the latest MAC OS X El Capitan?
>>> I have a macbook pro running El Capitan. (OSX 10.11.3)
>>>
>>> I See the following Errors when I run Snort.
>>>
>>> $ sudo snort -c /etc/snort/snort.conf --daq pcap --daq-mode passive -i
>>> eth0 -k none
>>>
>>> pcap DAQ configured to passive.
>>>
>>> Acquiring network traffic from "eth0".
>>>
>>> Reload thread starting...
>>>
>>> Reload thread started, thread 0x700000081000 (41553)
>>>
>>> ERROR: Can't start DAQ (-1) - BIOCSETIF failed: Device not configured!
>>>
>>> Fatal Error, Quitting..
>>>
>>>
>>> BTW - when I configured DAQ, this was the outcome.
>>>
>>> $cd daq-2.0.6
>>>
>>> ./configure --disable-afpacket-module
>>>
>>> ...
>>>
>>> Build AFPacket DAQ module.. : no
>>> Build Dump DAQ module...... : yes
>>> Build IPFW DAQ module...... : yes
>>> Build IPQ DAQ module....... : no
>>> Build NFQ DAQ module....... : no
>>> Build PCAP DAQ module...... : yes
>>> Build netmap DAQ module.... : no
>>>
>>>
>>> Any pointers appreciated.
>>>
>>> -- madhu
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>>> Monitor end-to-end web transactions and take corrective actions now
>>> Troubleshoot faster and improve end-user experience. Signup Now!
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> Archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>>
>>>
>>
>>
>>
>
>
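A small POSIX shell helper, added here as an example and not code from the thread, that applies the snort.conf edits of steps 11 and 12 to a file you name and checks that the capture interface exists before you pass it to `-i` (the "BIOCSETIF failed: Device not configured" error above came from using eth0 on a Mac whose interface is en0). It assumes the Snort 2.9.x snort.conf layout, in which the reputation stanza continues over backslash-terminated lines, so the appid block is inserted after the end of that stanza rather than directly under the `preprocessor reputation:` line; the function names and the `/sys/class/net` fallback are this example's own.

```shell
#!/bin/sh
# Added helper (not from the thread): applies the snort.conf edits of steps 11
# and 12 to a file you name, and checks the capture interface before launch.
# The interface check exists because the thread's "BIOCSETIF failed: Device
# not configured" came from passing -i eth0 on a Mac whose interface is en0.

# set_snort_var FILE NAME VALUE: rewrite "var NAME ..." to "var NAME VALUE",
# appending the line if the file has no such var (step 11).
set_snort_var() {
    file=$1; name=$2; value=$3
    if grep -q "^var $name " "$file"; then
        sed -i.bak "s|^var $name .*|var $name $value|" "$file"
    else
        printf 'var %s %s\n' "$name" "$value" >> "$file"
    fi
}

# enable_appid FILE DETECTOR_DIR: add the appid preprocessor stanza once,
# after the END of the reputation stanza, i.e. after its last backslash-
# continued line, so the reputation options are not split apart (step 12).
enable_appid() {
    file=$1; dir=$2
    grep -q '^preprocessor appid' "$file" && return 0
    awk -v dir="$dir" '
        { print }
        /^preprocessor reputation:/ { inrep = 1 }
        inrep && !/\\[ \t]*$/ {
            print ""
            print "# AppID preprocessor. For more information see README.appid"
            print "preprocessor appid : \\"
            print "   app_stats_filename appstats-unified.log, \\"
            print "   app_stats_period 60, \\"
            print "   app_detector_dir " dir
            inrep = 0
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# enable_unified2 FILE: uncomment the "output unified2:" line (step 12).
enable_unified2() {
    sed -i.bak 's|^# *\(output unified2:\)|\1|' "$1"
}

# check_iface NAME: true only if the interface exists (ifconfig on macOS,
# /sys/class/net on Linux). Run this before "snort -i NAME".
check_iface() {
    ifconfig "$1" >/dev/null 2>&1 || [ -d "/sys/class/net/$1" ]
}
```

After editing, validate with `sudo snort -c /etc/snort/snort.conf -T` as in step 11, and only start capture with `-i en0` once `check_iface en0` succeeds.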